Privacy and Confidentiality

State and federal laws require MPHC to protect confidential member and provider information from unauthorized disclosure. Many of these requirements also apply to the information we receive from providers. Participating providers are required to comply with all laws and regulations applicable to MPHC Health Plans, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Providers are also required to permit MPHC to review and duplicate member data and records related to services provided to carry out medical management and quality management programs.

Notice of Privacy Practices

This notice describes how member medical information may be used and disclosed and how members can get access to this information. In order to effectively provide and administer health plan services and benefits to our members, MPHC must collect, use, and disclose certain protected health information. This is only done, however, in accordance with MPHC privacy policies. MPHC is committed to ensuring the privacy and confidentiality of our Members' Protected Health Information (PHI) and to fully supporting the HIPAA provisions.

PHI is information about a member or his/her dependents, including demographic information, that can reasonably be used to identify the member and that relates to the member’s past, present, or future physical or mental health or condition, the provision of health care service to the member or our payment for that care. We are required by law to maintain the privacy of member PHI and to provide members with this notice about our legal duties and privacy practices with respect to PHI. We must follow the privacy practices described in this notice while it is in effect. This notice takes effect 8/1/2011 and will remain in effect until we replace or modify it.

How We May Use and Disclose PHI

In order to provide coverage for treatment and pay for those services, we need to use and disclose PHI in a number of different ways. MPHC staff is trained in the appropriate handling of PHI and execute their specific responsibilities using only that information required for their role. MPHC maintains and enforces policies governing the use of PHI by workforce members to ensure proper handling. Procedures to ensure these internal protections against mishandling of PHI throughout the workforce include provisions pertinent to physical and technical safeguards taken to protect verbal, written and electronic PHI from being mishandled by workforce members as they execute their responsibilities. The following are examples of the types of uses and disclosures of member PHI that we are permitted to make without member authorization:

For Payment

MPHC will use and disclose member PHI to administer health benefits plans or contracts, which may involve the determination of eligibility; claims payment; utilization review activities; medical necessity review; coordination of benefits, and responding to complaints, appeals, and external review requests. Examples include:

• Using PHI to pay claims that have been submitted to us by physicians and hospitals for payment
• Transmitting PHI to a third party to facilitate administration of a Flexible Spending Account, a Health Savings Account, a Health Reimbursement Account or a dental benefits plan
• Additional PHI of dependents may be shared with the plan subscriber when administering a family membership contract (e.g., the current status of co-payments and deductible amounts for dependents)

For Health Care Operations
MPHC may use and disclose member PHI for operational purposes. For example, PHI may be disclosed to staff members within MPHC, such as medical management, risk management, or quality improvement personnel, and others to:

• Assess the quality of care and outcomes in member cases and similar cases
• Learn how to improve our services and facilities through the use of internal and external surveys
• Determine how to continuously improve the quality and effectiveness of health care services our members receive
• Evaluate staff performance (i.e. review Member Service representatives’ call documentation)

We may also furnish information to our member’s Primary Care Provider and care team, so they may better manage and coordinate member care with other providers. Other potential reasons for sharing member PHI include:

• Providing members with information about treatment alternatives and health services that may be of interest as a result of a specific condition that the plan is case managing.
• Providing contact information to an external surveyor selected by the federal government to conduct routine satisfaction surveys
• Quality assessment and improvement activities, such as peer review and credentialing of our affiliated providers
• Accreditation by independent organizations such as the National Committee for Quality Assurance
• Performance measurement and outcomes assessment, health claims analysis, and services research
• Preventive health, early detection, disease management, case management, and coordination of care programs, including sending preventive health service reminders
• Underwriting, rate making, determining cost sharing amounts, administration of reinsurance policies
• Risk management, auditing, and detection of unlawful conduct
• Transfer of policies or contracts from and to other insurers, health plans, or third party administrators.
• Facilitation of any potential sale, transfer, merger, or consolidation of all or part of a “covered entity” with another covered entity, and due diligence related to that activity
• Other general administrative activities, including data and information systems management, customer service, and collecting premiums

For Treatment
MPHC may disclose member PHI to health care providers (doctors, dentists, pharmacies, hospitals and other caregivers) who request it in connection with member treatment. For example, we may provide a list of medications a member has received to emergency room clinicians treating that member in an effort to minimize the potential for adverse drug interactions. This information will only be furnished to emergency room clinicians with member consent, unless the member is unable to provide consent.

We may also disclose member PHI to health care providers in connection with preventive health initiatives, early detection programs, and disease management programs. For example, MPHC may disclose information to physicians involved in member care that includes a list of medications a member has filled (this will alert those physicians to those medications prescribed for that member by others and will help minimize potential adverse drug interactions). MPHC may also disclose information to a member’s Primary Care Provider to suggest a disease management or wellness program that could help improve that member’s health.

MPHC may contract with other organizations called business associates to provide services on our behalf. As these services are performed by our business associates, PHI is accessed or disclosed. In such cases, MPHC will enter into an agreement explicitly outlining the requirements associated with the protection, use, and disclosure of member PHI.

Other permitted or required uses and disclosures of PHI that do not require your authorization include the following.

Release of Information to Family/Friends
We may disclose member PHI to a family member, close friend, or other person identified by that member, to the extent the information is relevant to that person’s involvement in the member’s care or payment related to care. We provide our members with an opportunity to object to such a disclosure whenever it is reasonably practicable for us to do so.

Parents as Personal Representatives of Minors
In most cases, a member’s minor child’s PHI may be disclosed to that member. However, we may be required by law to deny a parent’s access to a minor’s PHI for certain diagnoses or treatment such as sexually transmitted diseases, family planning services, etc.

Right of Parent to Request Information About Dependents
The parent of a member covered as a dependent child may request an explanation of the payment or denial of any claim filed, except to the extent that the dependent has the right to withhold consent and the dependent does not affirmatively consent to notifying the parent. This does not impact the claims processing procedure and issuance of an Explanation of Benefits to subscribers for claims filed on behalf of dependents.

Workers’ Compensation
PHI may be used to comply with Workers’ Compensation laws/regulations.

Public Health Activities
PHI may be used or disclosed for public health activities such as assisting public health authorities or other legal authorities to prevent or control disease, injury, or disability, tracking of prescription drug or medical device problems, or for other health oversight activities.

Research
PHI may be used for research purposes, provided our Human Subjects Committee has reviewed and approved the proposed research process to ensure the privacy of member PHI.

Legal Proceedings
Member PHI may be disclosed in the course of any legal proceeding, in response to an order of a court or an administrative tribunal and, in certain cases, in response to a subpoena, discovery request, or other lawful process.

Health Oversight
Member PHI may be disclosed to a government agency authorized to oversee the health care system or government programs or its contractors, (e.g., the U.S. Department of Health and Human Services (HHS), a state insurance department, or the US Department of Labor) for activities authorized by law, such as audits, examinations, investigations, inspections, and licensure activity.

Marketing
In most circumstances, we are required by law to receive a member’s written authorization before we use or disclose health information for marketing purposes. However, we may provide our members with promotional gifts of nominal value.

De-identified Information
MPHC may use member PHI to create de-identified information or we may disclose member information to a business associate so that the business associate can create de-identified information on our behalf. When we de-identify health information, we remove information that identifies the member as the source of the information. Health information is considered de-identified only if there is no reasonable basis to believe that the health information could be used to identify the member.

Limited Data Set
We may use and disclose a limited data set that does not contain specific readily identifiable member information for research, public health and health care operations. We may not disseminate the limited data set unless we enter into a data use agreement with the recipient in which the recipient agrees to limit the use of that data set to the purposes for which it was provided, ensure the security of the data, and not identify the information or use it to contact any individual.

Although we do not anticipate the following situations will occur frequently, we are required by law to notify members of these additional potential uses and disclosures which can occur without a member’s written authorization.

As Required by Law
MPHC may use and disclose member information as required by law. For example, we may disclose information related to victims of abuse, neglect, or domestic violence or to assist law enforcement officials in performing their duties.

Government Functions
Member PHI may be disclosed to prevent serious threat to member health or safety or that of any person pursuant to applicable law. We may also disclose PHI to authorized federal officials for national security purposes. In addition, under certain conditions, we may disclose PHI if a member is, or was, a member of the Armed Forces, for activities deemed necessary by appropriate military authorities.

Inmates
Inmate PHI may be disclosed to a correctional institution or a law enforcement official having lawful custody, if the provision of such information is necessary to provide a member with health care, to protect member health and safety and that of others, or to maintain the safety and security of the correctional institution.

Descendants
PHI may be disclosed to funeral directors/coroners to enable them to carry out their lawful duties.

Organ/Tissue Donation
PHI may be used or disclosed to organ procurement organizations to facilitate cadaveric organ, eye, or tissue donation/transplantation purposes only with prior member authorization.

Please be assured that we do not sell, rent or license member PHI and member PHI is not marketed to anyone by us. In addition, special protections are given to “genetic information”. We are not permitted to use or disclose “genetic information” for underwriting purposes, which includes determining whether a member is eligible for Benefits; determining the premium for coverage; determining whether a member is subject to a pre-existing condition exclusion (if any); and other activities related to the creation, renewal, or replacement of coverage. “Genetic information” includes genetic tests of an individual or family member, family medical histories, and genetic services (e.g., counseling, education and evaluation of genetic information). Family members include immediate family members and extended family members, up to the fourth degree of kinship.

Uses and Disclosures that Require Prior Written Authorization

Uses and disclosures of PHI other than those listed above will be made only with written member authorization, unless otherwise permitted or required by law. Members may revoke such an authorization, at any time in writing, except to the extent that we have already taken an action based on a previously executed authorization.

If written authorization is obtained from a member, his or her PHI may be disclosed to his or her personal representative, which is a person (an adult or an emancipated minor) that MPHC recognizes as having the authority to act on behalf of another individual in making decisions related to health care. Contact our Member Services Department to obtain a personal representative designation form. Members should send the completed form to our Member Services Department. Members may revoke the authorization at any time by sending a letter to our Member Services Department at P.O. Box 9746, Portland, ME 04104-5040.

MPHC is unable to safeguard such PHI from re-disclosure by the person(s) that a member has authorized us to release it to. Finally, MPHC will not use member PHI to offer our members services or products unrelated to health care coverage or health status without member authorization. To request a copy of this Notice of Privacy Practices at any time, or obtain additional information about this notice, members may contact:

Member Services Department
Martin’s Point Health Care
P.O. Box 9746
Portland, ME 04104-5040

If you believe member privacy rights have been violated, you may file a written complaint with:

Privacy Officer/Compliance and Program Integrity
Martin’s Point Health Care
P.O. Box 9746
Portland, ME 04104-5040

You may also notify the Secretary of the Department of Health and Human Services (HHS). Send your complaint to:

Medical Privacy, Complaint Division, Office for Civil Rights (OCR)
United States Department of Health and Human Services
200 Independence Avenue SW, Room 509F, HHH Building
Washington DC, 20201

You may also contact OCR's Voice Hotline Number at 1-800-368-1019 or send the information electronically at www.hhs.gov/ocr. MPHC will not take retaliatory action against you if you file a complaint about our privacy practices.

Changes to This Notice

We may make a change to this notice and our privacy practices at any time and make the change effective for all PHI that we maintain, as long as the change is consistent with our current privacy policies or state or federal law. If we make an important change to our policies, we will promptly provide members with the new notice by mail and post it on our website.